Closed
Bug 1361509
Opened 7 years ago
Closed 7 years ago
coverity report: Non-static class member "mSource" is not initialized in this constructor nor in any functions that it calls.
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox53 | --- | wontfix |
firefox54 | --- | wontfix |
firefox55 | --- | fixed |
People
(Reporter: MatsPalmgren_bugz, Assigned: longsonr)
References
(Blocks 1 open bug, )
Details
(4 keywords, Whiteboard: [CID 1405753][adv-main55-][post-critsmash-triage])
Attachments
(1 file)
454 bytes,
patch
|
MatsPalmgren_bugz
:
review+
|
Details | Diff | Splinter Review |
Filing this as security sensitive just in case...
At first glance I can't find anyone initializing nsSVGGradientFrame::mSource.
** CID 1405753: Uninitialized members (UNINIT_CTOR)
/layout/svg/nsSVGGradientFrame.cpp: 34 in nsSVGGradientFrame::nsSVGGradientFrame(nsStyleContext *, mozilla::FrameType)()
________________________________________________________________________________________________________
*** CID 1405753: Uninitialized members (UNINIT_CTOR)
/layout/svg/nsSVGGradientFrame.cpp: 34 in nsSVGGradientFrame::nsSVGGradientFrame(nsStyleContext *, mozilla::FrameType)()
28 nsSVGGradientFrame::nsSVGGradientFrame(nsStyleContext* aContext,
29 FrameType aType)
30 : nsSVGPaintServerFrame(aContext, aType)
31 , mLoopFlag(false)
32 , mNoHRefURI(false)
33 {
>>> CID 1405753: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "mSource" is not initialized in this constructor nor in any functions that it calls.
34 }
35
36 //----------------------------------------------------------------------
37 // nsIFrame methods:
38
39 nsresult
Reporter | ||
Updated•7 years ago
|
Updated•7 years ago
|
Group: core-security → layout-core-security
Reporter | ||
Comment 1•7 years ago
|
||
I think this is sec-low at worst since it's a frame class allocated in the pres arena, so there's no type confusion here. Either mSource is null, or it points to a frame that may or may not be alive but that frame is always allocated in the same arena, so frame-poisoning will save us from being exploited.
Keywords: csectype-framepoisoning,
sec-low
Updated•7 years ago
|
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox55:
--- → affected
status-firefox-esr52:
--- → unaffected
Assignee | ||
Comment 2•7 years ago
|
||
https://dxr.mozilla.org/mozilla-central/source/layout/svg/nsSVGGradientFrame.cpp#243 how do we mark false positives?
Reporter | ||
Comment 3•7 years ago
|
||
Could we initialize this member to nullptr in the ctor anyway, please? Even if there *currently* is a path that init mSource before it's used, it seems safer to always init it in the ctor. Also, it shuts up Coverity so that we don't have to look at this one again. :-)
Assignee | ||
Comment 4•7 years ago
|
||
I've no objections to doing that.
Updated•7 years ago
|
Blocks: coverity-analysis
Whiteboard: [CID 1405753]
Assignee | ||
Comment 5•7 years ago
|
||
Assignee: nobody → longsonr
Attachment #8865669 -
Flags: review?(mats)
Assignee | ||
Comment 6•7 years ago
|
||
Do I need any additional approval to land this?
Reporter | ||
Comment 7•7 years ago
|
||
Comment on attachment 8865669 [details] [diff] [review] patch Thanks. > Do I need any additional approval to land this? No, only sec-high/sec-critical needs sec-approval. https://wiki.mozilla.org/Security/Bug_Approval_Process
Attachment #8865669 -
Flags: review?(mats) → review+
Assignee | ||
Comment 8•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/f804bb28ab999e3ae19ff5e7039f58674bbe9632
Comment 9•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f804bb28ab99
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•7 years ago
|
Group: layout-core-security → core-security-release
Updated•7 years ago
|
Whiteboard: [CID 1405753] → [CID 1405753][adv-main55-]
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [CID 1405753][adv-main55-] → [CID 1405753][adv-main55-][post-critsmash-triage]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•